Virtual Attacks – the Cheapest compromise of all.
I have been watching the growing discussion surrounding Mitt Romney’s tax return and PWC with interest. What is fascinating is that the actual facts of the case are pretty immaterial. The twitter feeds and blogs are buzzing with discussion (I am as guilty as the next man) surrounding Mitt Romney’s tax return, PWC have vigorously rejected claims that their security has been breached. The debate will roll on… and on…. till it is supplanted by another debate – but we will still read it and form our opinions!
The next stage will doubtless involve conspiracy theories – is this a marketing ploy by PWC? (unlikely but not impossible), is this a cunning trick to increase Mitt Romney’s news coverage?….who knows. The key thing is that the majority of the debate is about the incident rather than the principal issue.
We, the global consumer base, fall upon these stories like a swarm of leaf cutter ants. We snip them up and put them together in a shape that makes sense to us. Unlike the “professional media” (!) many of us do insufficient fact checking before we move things on and thus the stories evolve. The enormous speed at which information flies means that the evolution of a story often becomes the issue, rather than the issue itself.
We consume the information and we move on, having informed our opinions and made our decisions. This morning’s news is history by lunchtime and the facts of the case have been consigned to the waste with our sandwich wrappers. This is not a new phenomenon, but is exacerbated by the current high tempo news environment.
This situation provides a significant opportunity for attackers – especially in an economic environment where many organisations are vulnerable to adverse publicity, where bank covenants are at risk and where markets are volatile. One doesn’t necessarily need to actually compromise a system – merely to create a credible enough story that a successful attack has occurred. Business Systems (this is not just about technology as the Romney Tax return case shows) are often so complicated that it can be very difficult to confirm that an attack has not taken place. This is especially relevant if the potential impact surrounds the integrity of information rather than it’s confidentiality.
The problem becomes one of trust – and the relationship we have with those on whom we are dependent. If an attacker can effectively and credibly target that trust relationship, using the turbo charged information superhighway, then perhaps it will save him from actually having to compromise any actual systems.
What can we do about it? – The answer is easy to say and harder to deliver…. We need to understand what we are doing and the services on whom we depend. We need to understand our tolerances; what compromise we can or cannot do without. We need to understand when a problem becomes unacceptable. Finally we need to have thought about what we are going to do when the inevitable happens.
The Information Frontier – Mad Dogs and Thieving Mongrels
Whilst browsing the twitter blizzard this morning, I came on the article about the attack on the Cambodian Government:
As luck would have it, I came on this just after I had fielded an attempted social engineering call on my home phone from a delinquent pretending to sell me Satellite TV. This mongrel was pretending to update my account in return for my credit card details (despite the fact that I pay by direct debit). To begin with, he was very plausible and quite credible. At the time, I gave him a flea in the ear and moved on – though had that attack (and that is what it was) been successful, it could have cost me or one of the organisations with whom I do business many thousands of pounds.
Whilst traveling to work, It struck me that he would probably have got away with it with many people I know and it gave me pause for thought about safety in the environment in which we all live.
Whilst this type of anarchist bullying, fraud and banditry is morally repugnant in almost any culture (see my previous post on bullying) – I believe there is a positive that we can draw from this; a culture of increased threat awareness. The Information Security discipline has long been hamstrung by complacency; when the difficult decision about resourcing security controls has been tabled, security has long been consigned to the nice to have but not urgent list. This flies in the face of reality where the threat is real and people, companies and governments are being attacked on a daily basis.
Though things have got better in the past couple of years – we still see corporate heads being stuck in the sand when budgets are set. This is mirrored in our private behavior- I still remain staggered by the people who still do not have up to date anti virus software on their home computers because of the cost (or in some cases the brand of their computer!). In my experience, this complacency has often been driven by the lack of a perceived threat of sufficient relevance.
By behaving like mad dogs, hactivist organisations have brought a frontier feeling to business, certainly any organisation which does business or interacts with targetable organisations or people – (and when we look at our value chain honestly, this includes most of us). This is exacerbated by the value of information crime to the thieving mongrels of the professional criminal community who do a very good job of bringing the frontier spirit to our homes, our children and our parents.
When we look at it frankly – though we live in a world where we are wrapped the cotton wool of health & Safety and trading standards, the one area where we really cannot rely on society for our safety is the information space (this is more than just Cyber). The information space, where we exist daily on our telephones, email, online banking and social networks and on which we depend for most of our critical life support, is effectively wild. We apply protection to various services on an individual basis, but cannot guarantee the safety of the environment. I was attacked (fortunately unsuccessfully) this morning in my own home, and I treated it as part of daily life. That is instructive.
We live in frontier country of the information environment and though there are rules, the bad guys don’t play by them. Whoever we are and wherever we are,our protection, and that of our families and companies is in our own hands. In the final analysis we cannot rely on society but must take responsibility for our own safety. This is a responsibility that we should probably take more seriously.
Cyber Bullying – assertion or self proclaimed cowardice?
I note increasing debate about the prevalence of online bullying, cyber trolls and general abuse online. Though this behaviour is generally considered unacceptable in many modern societies, we should not be surprised by it. Indeed, we can learn from it as we manage it as we do in other parts of society.
One of the amazing benefits of online interaction is that people do not need to be in the same place to communicate in real time. Whilst has huge benefits, it does have disadvantages. Online interaction filters out many of the communication cues that we instinctively rely on. In short, online interaction only involves part of the message.
This makes some things harder; nuance or dry humour can often be lost – the twinkle in an eye needs to be typed. Emoticons and arcane abbreviations only achieve so much.
Some things, however, become easier. We all know that “difficult conversations” are easier if we do not have to look the other person in the eye. We also know that this is precisely why some things should be done face to face. This is nothing to do with technology, but is simple “good manners” and a function of the moral courage to which most of us aspire (forgive my naive optimism). This brings us back to Cyber Bullying….
Historically cowardice has been one of the hallmarks of a bully, most of us learn this in the school playground and use it to manage the problem. It goes without saying that finding a workable strategy is often fraught with difficulty, and we must all find our own way. For me, the secret has always lain in the realisation that bullying is not a demonstration of strength, but of weakness and cowardice masked by aggression. Once I understood this, it always became easier to manage unacceptable behaviour; it gave me the initiative.
Is it always as simple as this? Of course not! In many cases “bullying” may simply be an inability or unwillingness to communicate. Having said that, given that communication is a two way process – one of the first things we must always consider is our own end of the communication channel – are we always projecting what we intend – and are we interpreting incoming communications in the spirit in which they were intended?
We have long been aware of the dangers of “flame mail” and the importance of not sending contentious emails immediately. Of course digital social interaction often exposes us to the worst of both worlds, with an immediacy of communication which is not tempered by having to look someone in the eye. Whilst flame mail and fully fledged bullying are not the same thing, there is no doubt that they are on the same spectrum. With this in mind, we must all be aware of our own responsibilities and the additional personal disciplines that are necessary if we are to use online media in an acceptable way.
Real bullying is deeply unpleasant and can be a real problem, but it is also an indication of deep weakness within the bully. In many cultures, aggression is seen as a positive attribute, and this is often misinterpreted as a vindication by bullies. I know of no culture where cowardice is seen as an attribute. The moment we understand this, the bully loses their power and we gain strength. If the online society can treat bullying as a sign of cowardice and weakness rather than as an evil strength, then perhaps it will become less attractive to those who practice it.
How should we respond to bullying? Rather than berating online bullies as aggressive and mean …. and feeding the habit, we should take a moment to think about what is actually happening… and if it is bullying, we should treat it with the contempt that it deserves. If appropriate, any action taken should reflect the weakness of the activity rather than its perceived strengths. This way we can make it culturally unacceptable in all cultures.
Tom Fairfax FBCS MBCI A.inst.IISP
Security Risk Management Ltd
07000 560298 DDL
07802 771 828 Mob